WFLY-3048

"Local" authentication fails when LDAP is used for ManagementRealm

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 8.0.0.Final
    • Fix Version/s: 8.1.0.CR1, 8.1.0.Final
    • Component/s: Security
    • Labels:
      None
    • Environment: Ubuntu 13.04, Xeon-based VPS

    • Steps to Reproduce:

      1. Configure the ManagementRealm to use LDAP authentication.
      2. Also enable local authentication for the same realm.
      3. Attempt to invoke a command via jboss-cli, locally.
      4. Note that you are prompted for a username and password (it should use local auth, requiring no prompt).
      5. Remove LDAP authentication from ManagementRealm.
      6. Attempt to invoke the same command again via jboss-cli, locally.
      7. Note that the command is carried out without a username and password prompt.

    • Affects:
      Documentation (Ref Guide, User Guide, etc.), Compatibility/Configuration

      Description

      When LDAP is used for authentication in ManagementRealm, "local" authentication, which is enabled in configuration for the realm, appears to stop working.

      I have configured my ManagementRealm to use LDAP for authentication of remote clients. However, I also need to allow local authentication without a username and password, for when jboss-cli is invoked from the command line on the server. This is needed in order for the wildfly-init-debian.sh script to shut down the server. I have configured the ManagementRealm as follows:

      <security-realm name="ManagementRealm">
          <authentication>
              <local default-user="$local" />
              <ldap connection="..." base-dn="ou=accounts,dc=..." recursive="false">
                  ...
              </ldap>
          </authentication>
          <authorization map-groups-to-roles="false">
              <ldap connection="...">
                  ...
              </ldap>
          </authorization>
      </security-realm>

      I left out most of the LDAP configuration because I don't think it is important for this issue. LDAP authentication works fine for remote clients. In fact, it works fine for local clients as well: when I invoke jboss-cli with LDAP authentication enabled, it prompts for a username and password; if I enter a valid combination from the LDAP directory, jboss-cli connects successfully and executes its command.

      The problem is that I need it to NOT prompt for a username and password when jboss-cli is invoked locally, which, I believe, is how things are supposed to work when "local" authentication is also enabled; it just doesn't work that way when LDAP is enabled for the same realm.

      If I comment out the <ldap .../> element in <authentication> for the realm, local authentication starts working again. I can invoke jboss-cli locally and the command is carried out without a username and password prompt. Re-enable LDAP, with no other configuration changes, and again it flips back to requiring a username and password.

      I have tried replacing "$local" in the @default-user element of the <local> element with a valid name from the LDAP directory, both as a simple username and as a full DN, and jboss-cli still prompts for a username and password.

      The modification date on the [tmp/auth] directory changes when I run jboss-cli with LDAP in place and get the username/password prompt, so it appears that the client is putting a token in there to try to use local authentication. The server just never picks it up.

      The documentation specifically mentions that <local/> should work along with <ldap/> here:
      https://docs.jboss.org/author/display/WFLY8/Security+Realms
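      The following audit helper is an added example; it is not part of the WildFly project and was not attached to this issue. It parses security-realm definitions shaped like the one in the report, lists the authentication mechanisms each realm carries, records the `default-user` granted by `<local>` (the user that a process able to complete the local challenge in the server's auth directory is mapped to without a credential prompt), and flags realms that combine `local` and `ldap` on a build listed in this issue's Affects Version/s, where local authentication silently stops working. The sample configuration, the `ldap-conn-placeholder` connection name, and the `dc=example,dc=test` base DN are constructed for the example.

```python
# Added audit helper for WildFly security-realm definitions (example code,
# not from the WildFly project or from this issue).
import xml.etree.ElementTree as ET

# Taken from the issue's "Affects Version/s" field.
AFFECTED_VERSIONS = {"8.0.0.Final"}

# Constructed sample modelled on the realm in the report; connection name and
# base DN are placeholders, not a real directory.
SAMPLE_CONFIG = """\
<management>
  <security-realms>
    <security-realm name="ManagementRealm">
      <authentication>
        <local default-user="$local"/>
        <ldap connection="ldap-conn-placeholder"
              base-dn="ou=accounts,dc=example,dc=test" recursive="false">
          <username-filter attribute="uid"/>
        </ldap>
      </authentication>
      <authorization map-groups-to-roles="false">
        <ldap connection="ldap-conn-placeholder"/>
      </authorization>
    </security-realm>
    <security-realm name="ApplicationRealm">
      <authentication>
        <local default-user="$local" allowed-users="*"/>
        <properties path="application-users.properties"
                    relative-to="jboss.server.config.dir"/>
      </authentication>
    </security-realm>
  </security-realms>
</management>
"""


def _local_name(tag):
    """Strip a namespace prefix such as {urn:jboss:domain:2.0} from a tag."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name equals name."""
    return [c for c in elem if _local_name(c.tag) == name]


def audit_realms(xml_text, server_version):
    """Return {realm name: finding dict} for every <security-realm> in xml_text."""
    root = ET.fromstring(xml_text)
    findings = {}
    for realm in root.iter():
        if _local_name(realm.tag) != "security-realm":
            continue
        mechanisms = []
        default_user = None
        for auth in _children(realm, "authentication"):
            for mech in auth:
                name = _local_name(mech.tag)
                mechanisms.append(name)
                if name == "local":
                    default_user = mech.get("default-user")
        findings[realm.get("name")] = {
            # Order of child elements inside <authentication>, as configured.
            "mechanisms": mechanisms,
            # Identity handed to a local client that completes the challenge
            # without typing credentials; None when <local> is absent.
            "local_default_user": default_user,
            # The combination this issue describes: local and ldap in the same
            # realm on an affected build, where the local mechanism is ignored.
            "hit_by_wfly_3048": ("local" in mechanisms
                                 and "ldap" in mechanisms
                                 and server_version in AFFECTED_VERSIONS),
        }
    return findings


def report(findings):
    """Render findings as one line per realm."""
    lines = []
    for name, f in findings.items():
        lines.append(
            f"{name}: mechanisms={f['mechanisms']} "
            f"local_default_user={f['local_default_user']} "
            f"WFLY-3048={'yes' if f['hit_by_wfly_3048'] else 'no'}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_realms(SAMPLE_CONFIG, "8.0.0.Final")))
```

      Run it against a real standalone.xml or host.xml by reading the file into `audit_realms`; the tag-name stripping means the `urn:jboss:domain` namespace on a real file does not need to be declared. Realms reported with a `local_default_user` are the ones where anything that can read the server's auth challenge directory obtains management access without a prompt, so their file permissions deserve the same review as the LDAP bind credentials.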

    People

    • Assignee: Darran Lofthouse (dlofthouse)
    • Reporter: Matt Jensen (mattj6502)